STMicroelectronics X-CUBE-AWS, STM32Cube User Manual

UM2178

User manual

Getting started with X-CUBE-AWS STM32Cube Expansion Package for Amazon Web Services® IoT

Introduction

This user manual describes the content of the X-CUBE-AWS STM32Cube Expansion Package for AWS (Amazon Web Services®) IoT (Internet of Things) Core.

The X-CUBE-AWS STM32Cube Expansion Package for AWS IoT Core:

- provides a qualified port of FreeRTOS to the supported boards (refer to the User Guide and FreeRTOS Qualification Guide sections on the AWS website at docs.aws.amazon.com/freertos for details)
- offloads – wherever available – the security-critical operations to the on-board STSAFE-A110 Secure Element during:
  - the MCU boot process
  - the TLS device authentication towards the AWS IoT Core server
  - the verification of the over-the-air (OTA) update firmware image integrity and authenticity
- leverages the Secure Element provisioned certificate with the AWS IoT Core Multi-Account Registration feature.

Refer to Section 1 General information for a presentation of AWS IoT Core and FreeRTOS.

This user manual focuses on X-CUBE-AWS v2.x, which follows the v1.x versions. It connects to the same AWS IoT Core services and is therefore compatible with the same cloud services.

X-CUBE-AWS v2.x is a different solution from X-CUBE-AWS v1.x. It is based on the complete FreeRTOS software distribution, which coexists with the STM32Cube environment, and no longer on the single AWS IoT Device SDK for Embedded C middleware library.

Both the aws_demos and aws_tests FreeRTOS reference applications are provided:

- aws_demos is configured to illustrate the usage of the FreeRTOS OTA Update Manager service.
- aws_tests is the test application of the AWS Qualification Program for FreeRTOS. It is provided as a possible comparison point for users who plan to take their product through the qualification process. Its usage is beyond the scope of the present document.

X-CUBE-AWS version v2.0.0 is available for the B-L4S5I-IOT01A Discovery kit.

UM2178 - Rev 4 - September 2020

www.st.com

For further information contact your local STMicroelectronics sales office.

1 General information

The X-CUBE-AWS Expansion Package is dedicated to FreeRTOS™ projects running on STM32 32-bit microcontrollers based on the Arm® Cortex®-M processor. The descriptions in the current revision of the user manual are based on X-CUBE-AWS v2.0.0.

Note:

Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

1.1 What is AWS IoT Core?

As described on the AWS website at docs.aws.amazon.com/iot,

AWS IoT Core is a managed cloud service that lets connected devices securely interact with cloud applications and other devices. AWS IoT Core also makes it easy to use AWS and Amazon services like AWS Lambda, Amazon Kinesis, Amazon S3, Amazon SageMaker, Amazon DynamoDB, Amazon CloudWatch, AWS CloudTrail, Amazon QuickSight, and Alexa Voice Service to build IoT applications that gather, process, analyze and act on data generated by connected devices.

Note:

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

1.2 What is FreeRTOS?

As described on the AWS website at docs.aws.amazon.com/freertos,

FreeRTOS is an open source, real-time operating system for microcontrollers that makes small, low-power edge devices easy to program, deploy, secure, connect, and manage. FreeRTOS includes a kernel and a growing set of software libraries suitable for use across industry sectors and applications. This includes securely connecting small, low-power devices to AWS cloud services like AWS IoT Core.

Note:

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

1.3 What is STM32Cube?

STM32Cube is an STMicroelectronics original initiative to significantly improve designers' productivity by reducing development effort, time and cost. STM32Cube covers the whole STM32 portfolio.


STM32Cube includes:

- A set of user-friendly software development tools to cover project development from the conception to the realization, among which are:
  - STM32CubeMX, a graphical software configuration tool that allows the automatic generation of C initialization code using graphical wizards
  - STM32CubeIDE, an all-in-one development tool with peripheral configuration, code generation, code compilation, and debug features
  - STM32CubeProgrammer (STM32CubeProg), a programming tool available in graphical and command-line versions
  - STM32CubeMonitor (STM32CubeMonitor, STM32CubeMonPwr, STM32CubeMonRF, STM32CubeMonUCPD), powerful monitoring tools to fine-tune the behavior and performance of STM32 applications in real time
- STM32Cube MCU and MPU Packages, comprehensive embedded-software platforms specific to each microcontroller and microprocessor series (such as STM32CubeL4 for the STM32L4 Series), which include:
  - STM32Cube hardware abstraction layer (HAL), ensuring maximized portability across the STM32 portfolio
  - STM32Cube low-layer APIs, ensuring the best performance and footprints with a high degree of user control over the hardware
  - A consistent set of middleware components such as FAT file system, RTOS, USB Host and Device, TCP/IP, Touch library, and Graphics
  - All embedded software utilities with full sets of peripheral and applicative examples
- STM32Cube Expansion Packages, which contain embedded software components that complement the functionalities of the STM32Cube MCU and MPU Packages with:
  - Middleware extensions and applicative layers
  - Examples running on some specific STMicroelectronics development boards

1.4 How does X-CUBE-AWS complement STM32Cube?

X-CUBE-AWS extends STM32CubeL4 by providing a qualified port of FreeRTOS to the B-L4S5I-IOT01A board, with a pre-integrated secure bootloader derived from the X-CUBE-SBSFU Expansion Package and adapted to offload the most sensitive cryptographic operations to the embedded STSAFE-A110 Secure Element.

As an exception to the STM32Cube physical architecture, the whole FreeRTOS source tree, with its own dependencies and third-party libraries, is installed as a single third-party middleware in the STM32Cube source tree.

2 Amazon Web Services® IoT Core

Figure 1. Amazon Web Services® IoT Core ecosystem

2.1 Online documentation

The user application presented in this document relies on FreeRTOS and AWS (mostly the AWS IoT Core services).

General documentation, user guide, developer guide, porting guide, OTA Firmware Update guide, and others are available on the AWS website.

Most of the documentation of the OTA demo application on the FreeRTOS website (documentation of the OTA library, Basic OTA Demo (with Code Signing) page) is also relevant – with differences in the Configuring the Demo Project section, due to the usage of the multi-account device registration method on the B-L4S5I-IOT01A board.

While Section 5.2.2 User application configuration provides a quick guide on how to get and authorize AWS credentials, the information presented in this document cannot substitute for the Amazon information, which is the reference.

2.2 Account configuration, device registration, device provisioning

The included B-L4S5I-IOT01A user applications use the Multi-Account Registration feature of the AWS IoT Core service.

A unique, immutable X.509 device certificate is stored in the physical device at production time, in the STSAFE-A110 Secure Element. This certificate must be extracted from the physical device and registered with AWS when the logical device (called a thing in AWS terminology) is created by the user.

The instructions of the present section must be followed through before proceeding to the operations in Section 5.2.2 User application configuration and launch.


Step 1. Extract the device certificate.

This is done in two steps (refer to Section 4.3 Programming a firmware image to the STM32 board and Section 4.2 Virtual terminal setup):

a. Program and run the image Projects/<board_name>/Applications/BootLoader_STSAFE/STSAFE_Provisioning/Binary/Provisioning.bin so that the STSAFE-A110 Secure Element and the MCU bootloader are paired and may communicate securely with each other.

b. Build, program and run the image Projects\<board_name>\Applications\Cloud\aws_demos\<toolchain>\PostBuild\SBSFU_<board_name>_aws_demos.bin (there is no need to configure the source code at this stage). Copy the PEM format certificate displayed on the virtual terminal to a text file. It is referred to as my_extracted_cert.pem in the next steps.

The .bin file above is automatically produced by the post-build stage of the aws_demos application build project. Refer to Section 5.1.3 Building the whole firmware image for information on the SBSFU build system.

Important: The .pem file must exactly contain the text block starting with (and including) -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

=[SBOOT] System Security Check successfully passed. Starting...
=[FWIMG] Slot #0 @: 8105000 / Slot #1 @: 8036000 / Swap @: 81d5000
======================================================================
=               (C) COPYRIGHT 2017 STMicroelectronics                =
=                                                                    =
=              Secure Boot and Secure Firmware Update                =
=                                                                    =
======================================================================
=[SBOOT] STATE: WARNING: SECURE ENGINE INITIALIZATION WITH FACTORY DEFAULT VALUES!
=[SBOOT] STATE: CHECK STATUS ON RESET
          INFO: A Reboot has been triggered by a Software reset!
          Consecutive Boot on error counter = 0
          INFO: Last execution detected error was:No error. Success.
=[SBOOT] STATE: CHECK NEW FIRMWARE TO DOWNLOAD
=[SBOOT] STATE: CHECK KMS BLOB TO INSTALL
=[SBOOT] STATE: CHECK USER FW STATUS
=[SBOOT] LOADING CERTS FROM SECURE ENGINE OK
=[SBOOT] Verifying the Certificate chain... OK
=[SBOOT] Verify Header Signature... OK
          A valid FW is installed in the active slot - version: 1
=[SBOOT] STATE: VERIFY USER FW SIGNATURE
=[SBOOT] CHECKING IMAGE STATE = SFU_IMG_CheckImageState Image State = 1
=[SBOOT] IMAGE STATE OK
=[SBOOT] STATE: EXECUTE USER FIRMWARE
0 524 [Tmr Svc] WiFi module initialized.
1 532 [Tmr Svc] Device Certificate (DER), size = 402
2 537 [Tmr Svc] Device Certificate (PEM), size = 600
-----BEGIN CERTIFICATE-----
MIIBjjCCATSgAwIBAgILAglQvgEhzCJbATkwCgYIKoZIzj0EAwIwTzELMAkGA1UE
BhMCTkwxHjAcBgNVBAoMFVNUTWljcm9lbGVjdHJvbmljcyBudjEgMB4GA1UEAwwX
U1RNIFNUU0FGRS1BIFBST0QgQ0EgMDEwIBcNMjAwMjI2MDAwMDAwWhgPMjA1MDAy
MjYwMDAwMDBaMEYxCzAJBgNVBAYTAkZSMRswGQYDVQQKDBJTVE1pY3JvZWxlY3Ry
b25pY3MxGjAYBgNVBAMMEVNUU0FGRS1BMTEwIEVWQUwyMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEv/XwIjVwhq0S9R1fCeQj8QXr6y3AcXMJIFOtV2GpGhxAkseK
QeIe2tMoAkzwwmDdixmFwT/pJuHYvZu6IY6n4TAKBggqhkjOPQQDAgNIADBFAiBq
1p9SL6sAXB1zKsgX9Pr68tKDjKbb2ZZTPcSQ5cU9oAIhAIWMVkv4wIL02v8JXzRN
HSRb1zUmb840Eo6c2rJKPG6a
-----END CERTIFICATE-----
3 595 [Tmr Svc] WiFi Firmware Version C3.5.2.5.STM.
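To turn a saved terminal capture into the my_extracted_cert.pem file that Step 5 expects, the following added example (not part of UM2178 or the X-CUBE-AWS package) pulls the BEGIN..END block out of the capture, enforces the framing rule from the Important note, and walks the DER far enough to report the encoded size and validity period, so a mangled copy is caught before registration. The sample capture is constructed from the terminal lines shown above; the function names are assumptions.

```python
import base64

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# Constructed sample: the terminal lines around the certificate quoted in Section 2.2.
SAMPLE_LOG = """1 532 [Tmr Svc] Device Certificate (DER), size = 402
2 537 [Tmr Svc] Device Certificate (PEM), size = 600
-----BEGIN CERTIFICATE-----
MIIBjjCCATSgAwIBAgILAglQvgEhzCJbATkwCgYIKoZIzj0EAwIwTzELMAkGA1UE
BhMCTkwxHjAcBgNVBAoMFVNUTWljcm9lbGVjdHJvbmljcyBudjEgMB4GA1UEAwwX
U1RNIFNUU0FGRS1BIFBST0QgQ0EgMDEwIBcNMjAwMjI2MDAwMDAwWhgPMjA1MDAy
MjYwMDAwMDBaMEYxCzAJBgNVBAYTAkZSMRswGQYDVQQKDBJTVE1pY3JvZWxlY3Ry
b25pY3MxGjAYBgNVBAMMEVNUU0FGRS1BMTEwIEVWQUwyMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEv/XwIjVwhq0S9R1fCeQj8QXr6y3AcXMJIFOtV2GpGhxAkseK
QeIe2tMoAkzwwmDdixmFwT/pJuHYvZu6IY6n4TAKBggqhkjOPQQDAgNIADBFAiBq
1p9SL6sAXB1zKsgX9Pr68tKDjKbb2ZZTPcSQ5cU9oAIhAIWMVkv4wIL02v8JXzRN
HSRb1zUmb840Eo6c2rJKPG6a
-----END CERTIFICATE-----
3 595 [Tmr Svc] WiFi Firmware Version C3.5.2.5.STM.
"""

def extract_pem(log):
    """Return just the BEGIN..END block from a terminal capture."""
    lines = log.splitlines()
    start = lines.index(PEM_BEGIN)
    return "\n".join(lines[start:lines.index(PEM_END, start) + 1]) + "\n"
def is_well_framed(pem):
    """The Section 2.2 rule: nothing before BEGIN, nothing after END."""
    lines = pem.strip().splitlines()
    return len(lines) >= 3 and lines[0] == PEM_BEGIN and lines[-1] == PEM_END
def pem_to_der(pem):
    """Decode the base64 body of a correctly framed PEM file."""
    if not is_well_framed(pem):
        raise ValueError("my_extracted_cert.pem must hold exactly the BEGIN..END block")
    return base64.b64decode("".join(pem.strip().splitlines()[1:-1]), validate=True)
def der_tlv(buf, pos):
    """Decode tag and length at buf[pos]: (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_summary(der):
    """Walk Certificate -> tbsCertificate -> validity; report size and dates."""
    tag, pos, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (truncated or extra bytes)")
    _, pos, _ = der_tlv(der, pos)  # tbsCertificate
    tag, _, after = der_tlv(der, pos)
    pos = after if tag == 0xA0 else pos  # skip the explicit [0] version
    for _ in range(3):  # serialNumber, signature, issuer
        _, _, pos = der_tlv(der, pos)
    _, vpos, _ = der_tlv(der, pos)  # validity SEQUENCE
    _, a, b = der_tlv(der, vpos)  # notBefore
    _, c, d = der_tlv(der, b)  # notAfter
    return {"der_len": len(der), "not_before": der[a:b].decode(), "not_after": der[c:d].decode()}
```

Write extract_pem(capture) to my_extracted_cert.pem and run cert_summary on it; a DER size that differs from the one printed by the firmware (402 here) means a line was lost or altered while copying.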

Step 2. Sign-in to or create an AWS account.

Set the required user, access rights and policies for the multi-account registration mechanism. Note that multi-account registration removes the need to create and provision the IoT device credentials; for this specific point, refer to Step 5 below. Possible references are:

- The Setting up your AWS account and permissions section of the FreeRTOS™ User Guide on the Amazon website

- The Getting started with AWS IoT Core section of the AWS IoT Developer Guide


Step 3. Create an IoT thing policy.

This policy is called “my_iot_policy” in the next steps. Users who have used AWS IoT Core in the past (for instance with X-CUBE-AWS v1.x) can reuse their thing policy.

Step 4. Install and set up the AWS CLI.

In addition to the default section, set the [profile adminuser] section in ~/.aws/credentials with:

- region
- aws_access_key_id
- aws_secret_access_key

Users with personal AWS accounts that have the required access rights may simply copy the [default] settings to the [profile adminuser] section.

Step 5. Register the device.

Register the X.509 certificate copied from the device console:

aws iot register-certificate-without-ca --certificate-pem file://my_extracted_cert.pem --status ACTIVE

Note the contents of the certificateArn field returned by the command, called “my_device_cert_arn” in the next steps. Its format is arn:aws:iot:<my_region>:<my_account_id>:cert/<my_extracted_cert_id>.

Create the thing:

aws iot create-thing --thing-name my_thing_name

Grant the thing the access rights defined in the thing policy by attaching the policy to its certificate and the certificate to the thing:

aws iot attach-policy --policy-name "my_iot_policy" --target "my_device_cert_arn"

aws iot attach-thing-principal --thing-name my_thing_name --principal my_device_cert_arn

Retrieve the address of the IoT Core endpoint:

aws iot describe-endpoint --endpoint-type iot:Data-ATS

It is called “my_endpoint_name” in the next steps in the User application configuration section. Its format is <account-specific_prefix>-ats.iot.<my_region>.amazonaws.com.
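The following added example (not from UM2178 or the X-CUBE-AWS package) checks the certificateArn and endpoint values returned in Step 5 against the formats given above and against each other (the device can only authenticate to an endpoint in the region where its certificate was registered), then emits the remaining commands with the real ARN substituted for the my_device_cert_arn placeholder. The two JSON outputs are constructed samples and the function names are assumptions.

```python
import json
import re
import shlex

# Formats from Section 2.2: arn:aws:iot:<my_region>:<my_account_id>:cert/<my_extracted_cert_id>
# and <account-specific_prefix>-ats.iot.<my_region>.amazonaws.com.
ARN_RE = re.compile(r"^arn:aws:iot:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):cert/(?P<cert_id>[0-9a-f]+)$")
ENDPOINT_RE = re.compile(r"^[a-z0-9]+-ats\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")

# Constructed samples with the shape of the CLI JSON output; the values are made up.
SAMPLE_REGISTER_OUTPUT = ('{"certificateArn": "arn:aws:iot:eu-west-1:123456789012:cert/0123456789abcdef", '
                          '"certificateId": "0123456789abcdef"}')
SAMPLE_ENDPOINT_OUTPUT = '{"endpointAddress": "a1b2c3d4e5f6g7-ats.iot.eu-west-1.amazonaws.com"}'

def parse_register_output(text):
    """Region, account, cert_id and full ARN from register-certificate-without-ca output."""
    arn = json.loads(text)["certificateArn"]
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"unexpected certificateArn: {arn}")
    return {**m.groupdict(), "arn": arn}

def endpoint_region(text):
    """Region of the -ats endpoint in describe-endpoint output, None if it is not an ATS endpoint."""
    m = ENDPOINT_RE.match(json.loads(text)["endpointAddress"])
    return m["region"] if m else None

def attach_commands(thing_name, policy_name, cert_arn):
    """The remaining Step 5 commands with the real ARN in place of my_device_cert_arn."""
    if not ARN_RE.match(cert_arn):
        raise ValueError("cert_arn is still a placeholder or malformed")
    t, p, a = shlex.quote(thing_name), shlex.quote(policy_name), shlex.quote(cert_arn)
    return [
        f"aws iot create-thing --thing-name {t}",
        f"aws iot attach-policy --policy-name {p} --target {a}",
        f"aws iot attach-thing-principal --thing-name {t} --principal {a}",
    ]

def plan_registration(register_text, endpoint_text, thing_name, policy_name):
    """Cross-check both outputs; return the commands to run and the endpoint to configure."""
    cert = parse_register_output(register_text)
    region = endpoint_region(endpoint_text)
    if region != cert["region"]:
        raise ValueError(f"endpoint region {region} differs from certificate region {cert['region']}")
    return {"commands": attach_commands(thing_name, policy_name, cert["arn"]),
            "endpoint": json.loads(endpoint_text)["endpointAddress"]}
```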

3 Package description

3.1 Logical software architecture

The top-level architecture of the X-CUBE-AWS Expansion Package is shown in Figure 2.

Figure 2. X-CUBE-AWS software architecture (layers, top to bottom):

- Applications: custom user application; FreeRTOS™ Demos and Tests; Secure bootloader with Key management services; Platform abstraction port
- Middleware: FreeRTOS™ (FreeRTOS kernel, IoT SDK, libraries such as mbedTLS, tinycbor and others); STSAFE-A; Secure Engine
- Drivers: Board support package (BSP); Hardware abstraction layer (HAL); CMSIS
- Utilities and PC software
- Hardware components: STM32; STSAFE-A110; Wi-Fi® module; Sensors
- Development boards: B-L4S5I-IOT01A

The Expansion Package provides a FreeRTOS software distribution for STM32Cube. It is composed of:

- FreeRTOS standard user applications (aws_demos and aws_tests) and their platform abstraction port to the B-L4S5I-IOT01A board by means of the STM32L4 Series HAL and ISM43362 eS-WiFi driver.
- FreeRTOS and its internal dependencies.
- STM32Cube HAL: this driver layer provides a generic, multi-instance, simple set of APIs (application programming interfaces) to interact with upper layers (application, libraries and stacks). It is composed of generic and extension APIs. It is directly built around a generic architecture and allows the layers built upon it, such as the middleware layer, to implement their functionalities without dependencies on the specific hardware configuration of a given microcontroller unit (MCU). This structure improves the library code reusability and guarantees easy portability onto other devices. It includes:
  - STM32L4 Series HAL
- Board support package (BSP) layer: the software package must support the peripherals on the STM32 boards apart from the MCU. This software is included in the board support package. This is a limited set of APIs which provides a programming interface for certain board-specific peripherals such as the LED and user button. It includes:
  - Low-layer driver for the Inventek ISM43362 eS-WiFi module
  - Sensor drivers for the B-L4S5I-IOT01A board (not used by the applications provided)


- Secure bootloader, key management and image state management application derived from the X-CUBE-SBSFU Expansion Package, relying on its companion middleware components and on the on-board STSAFE-A110 component.

The software is provided as a .zip archive containing source code.

The following integrated development environments are supported:

- IAR Systems - IAR Embedded Workbench® (EWARM), version 8.32.3 or higher
- STMicroelectronics - STM32CubeIDE, version 1.3.0 or higher

3.2 Folder structure

3.2.1 STM32Cube view

Figure 3 presents the top folder structure of the X-CUBE-AWS Expansion Package. Figure 4, Figure 5, and Figure 6 further detail the top folder contents.

Figure 3. Top folders

Figure 4. Drivers folder

- BSPv1 drivers for the bootloader applications.
- BSPv2 drivers for the user applications.
- Board component drivers, for instance the sensors of B-L475E-IOT01A / B-L4S5I-IOT01A.


Figure 5. Middlewares folder

- Wrapper to the mbed-crypto library
- PKCS#11 implementation of the FreeRTOS™ PAL
- Components of the secure bootloader applications
- Software interface to the STSAFE-A110 secure element
- FreeRTOS™ software distribution, with its embedded set of middleware components, demos and tests applications
- Cryptographic and TLS libraries used by the bootloader applications


Figure 6. Projects and Utilities folders

- Bootloader and Secure Firmware Update application, relying on the soldered STSAFE-A110 secure element
- FreeRTOS™ demo application, set up for the over-the-air firmware update use case
- FreeRTOS™ configuration files
- IDE project folders: 2 toolchains supported
- FreeRTOS™ platform abstractions implementation
